admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2020-04-22 23:03:18 +00:00
parent 9a37bba71d
commit d6420720db
1 changed files with 7 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
server/AyaNova/Controllers/AttachmentController.cs
View File

@@ -318,25 +318,17 @@ namespace AyaNova.Api.Controllers
//get user by key, if not found then reject //get user by key, if not found then reject
//If user dlkeyexp has not expired then return file //If user dlkeyexp has not expired then return file
var dlkeyUser = await ct.User.SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true); var DownloadUser = await ct.User.AsNoTracking().SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true);
if (dlkeyUser == null) if (DownloadUser == null)
{
await Task.Delay(nFailedAuthDelay);//DOS protection
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
//Make sure the token provided is for the current user
//bugbug: Is this not a bug, there's no way to set this properly is there?
long UserId = UserIdFromContext.Id(HttpContext.Items);
if (UserId != dlkeyUser.Id)
{ {
await Task.Delay(nFailedAuthDelay);//DOS protection await Task.Delay(nFailedAuthDelay);//DOS protection
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED)); return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
} }
//TODO: EVENT LOG THIS SHIT
var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero); var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
if (dlkeyUser.DlKeyExpire < utcNow.DateTime) if (DownloadUser.DlKeyExpire < utcNow.DateTime)
{ {
await Task.Delay(nFailedAuthDelay);//DOS protection await Task.Delay(nFailedAuthDelay);//DOS protection
@@ -351,8 +343,9 @@ namespace AyaNova.Api.Controllers
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
} }
//is this allowed? //is this allowed?
if (!Authorized.HasReadFullRole(HttpContext.Items, dbObj.AttachToObjectType)) if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObj.AttachToObjectType))
{ {
await Task.Delay(nFailedAuthDelay);//DOS protection await Task.Delay(nFailedAuthDelay);//DOS protection
return StatusCode(403, new ApiNotAuthorizedResponse()); return StatusCode(403, new ApiNotAuthorizedResponse());
@@ -373,7 +366,7 @@ namespace AyaNova.Api.Controllers
} }
//Log //Log
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct); await EventLogProcessor.LogEventToDatabaseAsync(new Event(DownloadUser.Id, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct);
return PhysicalFile(filePath, mimetype, dbObj.DisplayFileName); return PhysicalFile(filePath, mimetype, dbObj.DisplayFileName);